Krebs on Security

In-depth security news and investigation

There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier

When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May. In my March 02 piece Credit Unions Feeling Pinch in Wendy’s Breach, I quoted B. Dan Berger, CEO of the National Association of Federal Credit Unions, saying he’d heard from three credit union CEOs who said the fraud they’ve experienced so far from the Wendy’s breach has eclipsed what they were hit with in the wake of the Home Depot and Target breaches.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”

Bertini said part of the problem was that the breach happened in two waves. He said the outside forensics investigators that were assigned to the case by the credit card associations initially found 300 locations that had malware on the point-of-sale devices, but that the company’s own investigators later discovered a different strain of the malware at some locations. Bertini declined to provide additional details about either of the malware strains found in the intrusions.

“In recent days, our investigator has identified this additional strain or mutation of the original malware,” he said. “It just so happens that this new strain targets a different point of sale system than the original one, and we just within the last few days discovered this.”

The company also emphasized that all of the breached stores were franchised — not company-run — entities. Here is the statement that Wendy’s provided to KrebsOnSecurity, in its entirety:

Based on the preliminary findings of the previously-disclosed investigation, the Company reported on May 11 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants. An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, the Company directed its investigator to continue to investigate.

In this continued investigation, the Company has recently discovered a variant of the malware, similar in nature to the original, but different in its execution. The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the Company believed had not been affected. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated. To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

Many franchisees and operators throughout the retail and restaurant industries contract with third-party service providers to maintain and support their POS systems. The Company believes this series of cybersecurity attacks resulted from certain service providers’ remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers.

The malware used by attackers is highly sophisticated in nature and extremely difficult to detect. Upon detecting the new variant of malware in recent days, the Company has already disabled it in all franchise restaurants where it has been discovered, and the Company continues to work aggressively with its experts and federal law enforcement to continue its investigation.

Customers may call a toll-free number (888-846-9467) or email PaymentCardUpdate@wendys.com with specific questions.

Wendy’s statement that the attackers got access by stealing credentials that allowed remote access to point-of-sale terminals should hardly be surprising: The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to hacked remote access accounts that POS service providers use to remotely manage the devices.

Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register. Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone.

Gavin Waugh, vice president and treasurer at The Wendy’s Company, declined to say whether Wendy’s has any timetable for deploying chip-based readers across its fleet of stores — the vast majority of which are franchise operations.

“I don’t think that would have solved this problem, and it’s a bit of a misnomer,” Waugh said, in response to questions about plans for the deployment of chip-based readers across the company’s U.S. footprint. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”

Avivah Litan, a fraud analyst with Gartner Inc., said chip readers at Wendy’s would help, but only if the company can turn them on to accept chip transactions. As I noted in February, although a large number of merchants have chip card readers in place, many still face delays in getting the systems up to snuff with the chip card standards.

Litan said the biggest bottleneck right now to more merchants accepting chip cards is first getting their new systems certified as compliant with the chip card standard (known as Europay, Mastercard and Visa or EMV). And the backlog among firms that certify retailers as EMV compliant is rapidly growing.

Litan said the reality is that chip cards will continue to have magnetic stripes on them for many years to come.

“Unless the mag stripe data is not transmitted anymore and you get rid of the mag stripe, there is always going to be card data compromised, stolen and counterfeited,” Litan said.

This entry was posted on Thursday, June 9th, 2016 at 5:39 pm and is filed under Data Breaches.

61 comments

Basically, when POS get hacked, it’s because they had no filesystem validation system in place that works. Most of these people rely on their vendor to support and send patches, which they never try to validate against change control. They all off-shored their support to fictional experts overseas years ago.

Implementing something like Tripwire (probably something cheaper) and validating against the company change control process finds this crap very fast. 24 hours max before being alerted upon.

I worked for many retailers and this is the first thing I tell all of them.

Every one of them said it’s too expensive, or it takes years to roll out because vendors for POS software, certification for the filesystem checkers takes months/years, or is too expensive.

The other part is network fingerprinting. You know exactly what that POS system is supposed to be sending, it’s not random crap, it’s to a back-end server, that does 1 thing 100% of the time. If you see any packets of any type not conforming to the fingerprint you flag and send people in to find out why.

This isn’t rocket science. Until you penalize companies for not paying to prevent, it will continue. In the mind of IT, you just need some random VP to sign off “that not implementing preventive measures” then it’s not the IT Dept’s fault, and they move on to the next sexy project that might get some manager promoted.

Perhaps rewarding companies with some sort of rating might help, but right now the PCI process everyone says is the minimum standard is hilarious. It lets you play the game, it doesn’t make you a winner by a long shot. Waivers, anyone? I worked for a company that had over 50,000 waivers, most of which didn’t even have a department owner and were years old and just re-waivered each year. These waivers basically say your PCI requirements are not worried about here, move along.
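Added example (written for this page; it is not code from the article, from Wendy’s, or from the commenter above): the two controls the comment argues for, a file-integrity check validated against change control and a network “fingerprint” for a terminal that should only ever talk to one back-end, run over constructed sample data. The second check also covers the vector the article reports, remote access to the POS from somewhere other than the service provider’s own host. All paths, hashes, ticket ids and addresses are hypothetical and built inside the script.

```python
"""Added example (not from the article, Wendy's, or any commenter): a toy
file-integrity check against a change-control baseline plus a network
'fingerprint' check for a POS terminal, run over constructed sample data."""
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of file contents; used for both the baseline and observations."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the files an approved POS build should contain and the
# hashes of their approved contents (hypothetical paths and contents).
APPROVED_FILES = {
    "/opt/pos/bin/posd": sha256_hex(b"approved posd build 4.2"),
    "/opt/pos/lib/cardio.so": sha256_hex(b"approved cardio.so 4.2"),
}

# Constructed change-control records: new hashes that an approved ticket allows.
CHANGE_CONTROL = {
    "CC-0042": {"/opt/pos/lib/cardio.so": sha256_hex(b"approved cardio.so 4.3")},
}


def check_filesystem(observed):
    """Classify every observed path (path -> bytes) against the baseline.

    Returns {path: status}, where status is one of 'ok',
    'authorized_change:<ticket>', 'unauthorized_modification',
    'unexpected_file' or 'missing_file'.
    """
    authorized = {}
    for ticket, changes in CHANGE_CONTROL.items():
        for path, digest in changes.items():
            authorized[(path, digest)] = ticket

    status = {}
    for path, content in observed.items():
        digest = sha256_hex(content)
        if path not in APPROVED_FILES:
            status[path] = "unexpected_file"  # nothing in the build puts a file here
        elif digest == APPROVED_FILES[path]:
            status[path] = "ok"
        elif (path, digest) in authorized:
            status[path] = "authorized_change:" + authorized[(path, digest)]
        else:
            status[path] = "unauthorized_modification"  # changed, no ticket backs it
    for path in APPROVED_FILES:
        if path not in observed:
            status[path] = "missing_file"
    return status


# Constructed fingerprint for one terminal: the only outbound peer is the
# payment back-end, and the only inbound remote-support source is the vendor's
# jump host. Addresses are hypothetical (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).
POS_FINGERPRINT = {
    "out": {("10.10.5.20", 8443, "tcp")},
    "in": {("10.10.5.9", 3389, "tcp")},
}


def check_flows(flow_lines):
    """Parse constructed flow records 'direction,src,dst,dport,proto,bytes'
    and return the ones that do not match the fingerprint."""
    alerts = []
    for line in flow_lines:
        direction, src, dst, dport, proto, nbytes = line.strip().split(",")
        peer = src if direction == "in" else dst
        if (peer, int(dport), proto) not in POS_FINGERPRINT[direction]:
            alerts.append({"direction": direction, "src": src, "dst": dst,
                           "dport": int(dport), "proto": proto,
                           "bytes": int(nbytes)})
    return alerts


# Constructed sample data.
SAMPLE_OBSERVED = {
    "/opt/pos/bin/posd": b"approved posd build 4.2",       # unchanged
    "/opt/pos/lib/cardio.so": b"approved cardio.so 4.3",   # changed, covered by CC-0042
    "/opt/pos/bin/updater.tmp": b"not part of any build",  # no baseline entry at all
}
SAMPLE_FLOWS = [
    "out,10.10.7.51,10.10.5.20,8443,tcp,1820",     # terminal -> payment back-end (expected)
    "in,10.10.5.9,10.10.7.51,3389,tcp,50233",      # vendor jump host -> terminal (expected)
    "in,203.0.113.77,10.10.7.51,3389,tcp,61402",   # remote desktop from an unknown address
    "out,10.10.7.51,198.51.100.23,443,tcp,93314",  # terminal talking to an unknown host
]

if __name__ == "__main__":
    for path, state in sorted(check_filesystem(SAMPLE_OBSERVED).items()):
        print(f"{state:28} {path}")
    for alert in check_flows(SAMPLE_FLOWS):
        print("flow alert:", alert)
```

The point of joining the two lookups is the one the comment makes: a hash that differs from the baseline is only an incident if no change ticket explains it, and a flow is only suspicious relative to what the terminal is supposed to do. On the constructed input the script reports the changed library as an authorized change, the stray file as unexpected, and exactly two flows, the inbound remote-desktop session from an unlisted address and the outbound connection to an unknown host.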

It continues to be a fact that companies who have experienced a breach are strongly motivated to minimize the reporting and impact. The choice is clear: lie or tell part of the truth and something bad may result, or tell the whole truth and something bad will always result. Where is the motivation to tell the truth, early, and completely? Just like politics. No punishment for lying.